@Paul_Wilkins Malicious injection of code effectively.
Basically I’m making a sandbox like jsfiddle mainly for myself but I may open it out at a later date to other people. I would like to do what I can to ensure that the code that’s executed from that Form / iframe is client side only to stop (as much as is possible) the security flaws inherent from doing such a thing. I read that the way some sites do this is by ensuring that only client side javascript is run therefore server side is “somewhat” safe?
I realise that its not going to be easy to secure this kind of thing completely, but I would like to do what little I can initially to segregate the two sides of the coin if you understand me
@Paul_Wilkins Interesting reading, though this seems to block some of the things I need and javascript seems to be on or off as oppose to being local only.
I will read up a bit more on it, thanks for the link.
Hmm no its not ajax specifically. I think the problem is I don’t know what I need to do its basically a jsfiddle sandbox. I just know that if I open this up ‘as is’, it would be a security hole the size of the moon. Currently its ‘same domain’, ‘javascript allowed’ and is dynamically updating an iframe (by JS, i.e. $('#iframe').contents().find('body').html(html);). I think the only way I am going to be able to secure this is make it cross domain, which means the dynamic updating of the html will break (in its current form). I think I understand now why that functionality isn’t in a lot of these sandbox type tools
However I could then try and do this by ajax I suppose. I am going to have to do some more research, but I thank you for your help.
iframe sandboxing does seem like a good option though, actually … I wonder if this does even block it 2 way. I will give this a try tonight … it might be “cross fingers” that the sandbox option only blocks child to parent on same domain … that would be ideal.
The sandbox attribute will block all cross-frame communication, irrespective of domain. It effectively implements the cross-domain security policy for all domains, as though the iframe page were on a different one.
For the application you’re talking about, that’s not gonna be any good – if each “window” within the fiddle is a different iframe, then you need cross-frame access to make it work at all.
I think the first thing you need to do is identify exactly what the security risks are. It sounds like you don’t have a clear idea of what you’re trying to prevent, just a general sense that security risks exist. If you could establish a better sense of exactly what you want to allow and what you want to block, then you’ll have a good starting point for working out how to do it.